New TrickMo Android Malware Variant Leverages TON Blockchain for Hidden Command Channels
Security researchers have uncovered a new variant of the TrickMo Android banking trojan that exploits The Open Network (TON) blockchain to conceal its command-and-control (C2) communications, making detection significantly harder. The malware is currently being distributed in campaigns targeting users across Europe, with new remote control capabilities that allow attackers to execute fraudulent transactions and steal credentials.
Key Findings
According to a report from cybersecurity firm Cleafy, the updated TrickMo variant introduces commands that can capture one-time passwords from SMS messages, overlay fraudulent screens on legitimate banking apps, and perform device takeovers. "By embedding its C2 traffic within TON's decentralized network, the malware avoids traditional server-based detection methods," explains Luca Rossi, senior threat analyst at Cleafy.
The use of TON — a blockchain originally developed by Telegram — represents a significant evolution in malware communication strategies. Instead of connecting to a fixed IP address or domain, TrickMo transmits encrypted commands through the blockchain's distributed ledger, making it nearly impossible for security tools to block.
Technical Details
The malware intercepts two-factor authentication codes and can respond to server requests via smart contracts. This method ensures that even if one node is taken down, the decentralized nature of TON keeps the C2 infrastructure alive.
Cleafy's analysis shows that the new variant communicates with the attacker-controlled TON wallet by polling the blockchain for transaction data containing encoded instructions. "It's a clever but dangerous way to turn a transparent public ledger into a hidden messenger," adds Rossi.
Operational Commands
- Start overlay: Injects phishing screens over financial apps
- Grab SMS: Intercepts and forwards all incoming text messages
- Push notifications: Displays fake security alerts to trick users into granting permissions
- Self-destruct: Removes all traces of infection from the device
Background
TrickMo first emerged in 2019 as a banking trojan targeting German and Swiss financial institutions. Earlier variants relied on HTTP-based C2 servers that were quickly blacklisted by security vendors. The shift to TON blockchain for communications began in early 2024.

TON, launched in 2018, is a high-performance blockchain designed for micropayments and decentralized apps. Its validator nodes are spread globally, providing natural resilience against takedowns. This same feature now makes it attractive to cybercriminals seeking stealthy C2 channels.
What This Means
The adoption of blockchain technology for malware operations signals a new arms race. Traditional network-level security measures — such as blacklisting IPs or domains — are ineffective against decentralized C2 systems. Mobile security solutions must now monitor blockchain transactions for suspicious patterns.
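The polling behaviour described under Technical Details and the call here to "monitor blockchain transactions for suspicious patterns" can be illustrated with a small detection heuristic. This is an added example, not code from Cleafy or from the TON project: the transaction record shape, the wallet names and the thresholds (entropy cut-off, dust amount, hit count) are all constructed assumptions, and the idea is simply that a comment field carrying encoded instructions looks statistically different from a human-written memo.

```python
import math
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """One simplified ledger record (a constructed shape, not TON's real schema)."""
    sender: str
    recipient: str
    amount_nanoton: int   # 1 TON = 1_000_000_000 nanoton
    comment: str          # free-text transfer comment / memo


def shannon_entropy(text: str) -> float:
    """Bits per character; natural-language memos sit well below random-looking ones."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def suspicious_wallets(txs, min_entropy=4.5, max_amount=10_000_000, min_hits=3):
    """Flag recipients that repeatedly receive dust-value transfers whose comments look
    like encoded data rather than text. Thresholds are illustrative assumptions."""
    hits = defaultdict(int)
    for tx in txs:
        if tx.amount_nanoton <= max_amount and shannon_entropy(tx.comment) >= min_entropy:
            hits[tx.recipient] += 1
    return sorted(w for w, n in hits.items() if n >= min_hits)


# Constructed sample: two ordinary payments, one legitimate deposit with an opaque memo
# (large amount, so it is ignored), and three dust transfers carrying random-looking comments.
SAMPLE_TXS = [
    Tx("EQ_alice_constructed", "EQ_bob_constructed", 2_500_000_000, "thanks for lunch"),
    Tx("EQ_carol_constructed", "EQ_shop_constructed", 15_000_000_000, "invoice 4471"),
    Tx("EQ_dave_constructed", "EQ_exchange_constructed", 50_000_000_000, "Mq7Xe2Lt9Bw4Kz1Rn6Pj3Fy8Hc5Vd0Sg"),
    Tx("EQ_op_constructed", "EQ_wallet_B_constructed", 1_000_000, "aZ3kQ9mT7xW2pL5vR8nB4cH6yJ1fD0sG"),
    Tx("EQ_op_constructed", "EQ_wallet_B_constructed", 1_000_000, "Ub4Yr9Gx2Wm7Qn1Tk5Jp8Cz3Lf6Hd0Es"),
    Tx("EQ_op_constructed", "EQ_wallet_B_constructed", 1_000_000, "Mq7Xe2Lt9Bw4Kz1Rn6Pj3Fy8Hc5Vd0Sg"),
]

if __name__ == "__main__":
    print(suspicious_wallets(SAMPLE_TXS))  # ['EQ_wallet_B_constructed']
```

In practice such a heuristic would be one signal among several (transfer periodicity, sender reuse, on-device polling of explorer APIs by an app with SMS permissions), since a single high-entropy memo is also what a legitimate exchange deposit reference looks like.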
For Android users in Europe, the immediate risk is highest during the current campaign. Users should avoid sideloading apps, keep Google Play Protect enabled, and report any unusual SMS requests. Financial institutions are advised to implement behavioral anomaly detection that flags device takeover attempts.